List: General Discussion
From: Johan Lundqvist
Date: May 10 2006 9:26am
Subject: Re: 1' and '1' or '1
Hi Dave,

1st: Never, never, never store passwords in plain text!! Just don't do 
it. Store a hash of the password (i.e. md5 or something else).

2nd: Never pass any input from the Internet directly into a query 
without first checking it for SQL injection.

Take a look at the Wikipedia article for a brief explanation and several 
links to further info.
http://en.wikipedia.org/wiki/SQL_injection

/Johan


Critters wrote:
> Hi
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box.
> 
> I ran the query 
> 
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
> 
> And it returned all rows. Can someone explain to me why this happens, and if the
> steps I took (replacing the ' with a blank space when the user submits the login form) are
> enough to prevent a similar "hack"?
> 
> Appreciate any feedback.
> --
> Dave
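
Added example, not part of the original thread: it reproduces the quoted query to show why it matches every row, then compares the quote-replacement workaround with a parameterized query. It assumes Python's built-in SQLite as a stand-in for MySQL (both give AND precedence over OR and treat the string '1' as true); the function names and table rows are constructed for illustration.

```python
import sqlite3

PAYLOAD = "1' and '1' or '1"  # the input quoted in the original post

def make_db():
    # Constructed rows; plain strings in `password` only to mirror the quoted query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("alice", "pw-a"), ("bob", "pw-b"), ("o'brien", "pw-o")])
    return db

def login_concat(db, name, password):
    # Vulnerable: input is pasted into the SQL text, so its quotes become syntax.
    sql = ("SELECT name FROM members WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_strip_quotes(db, name, password):
    # The workaround from the post: replace ' with a space, then concatenate.
    return login_concat(db, name.replace("'", " "), password.replace("'", " "))

def login_param(db, name, password):
    # Placeholders: the driver sends the input as data, never as SQL text.
    sql = "SELECT name FROM members WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]

def where_groups(db):
    # AND binds tighter than OR, so the quoted WHERE clause is three OR-ed
    # groups. Count the rows each group matches on its own.
    groups = ["name = '1' AND '1'",
              "'1' AND password = '1' AND '1'",
              "'1'"]  # the string '1' converts to 1, which is true for every row
    return [db.execute("SELECT COUNT(*) FROM members WHERE " + g).fetchone()[0]
            for g in groups]

if __name__ == "__main__":
    db = make_db()
    print("rows matched per OR group:", where_groups(db))
    print("concatenated:", login_concat(db, PAYLOAD, PAYLOAD))
    print("parameterized:", login_param(db, PAYLOAD, PAYLOAD))
    print("quote-stripped o'brien:", login_strip_quotes(db, "o'brien", "pw-o"))
    print("parameterized o'brien:", login_param(db, "o'brien", "pw-o"))
```

Replacing the quote stops this particular input, but it also rewrites legitimate values that contain an apostrophe, so the member named o'brien can no longer log in; the parameterized version handles both cases.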